IN THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUMBIA

IN THE MATTER OF THE SEARCH OF

School of Nursing and Health
105 Saint Mary's Hall
Georgetown University, Washington, D.C.

FILED UNDER SEAL

APPLICATION AND AFFIDAVIT FOR SEARCH WARRANT
I, Stephen K. Schmidt, being duly sworn, hereby depose and state as follows: 
I. INTRODUCTION 

1. I am a Special Agent (SA) with the Federal Bureau of Investigation (FBI), and
have been so employed for approximately seven and a half years. I am currently assigned to the 
Cyber Crimes Squad, Washington Field Office. The Squad's primary mission is to investigate 
crimes involving computer intrusions and intellectual property right (copyright) violations. 

A. Agent Background 

2. My experience as an FBI Agent has included the investigation of cases involving 
the use of computers and the Internet to commit violations of fraud, intrusion and intellectual 
property laws. I have received training and gained experience in interviewing and interrogation 
techniques, arrest procedures, search warrant applications, the execution of searches and seizures, 
computer crimes, intellectual property and other computer-based crimes, computer evidence
identification, computer evidence seizure and processing, and various other criminal laws and 
procedures. I have personally participated in the execution of search warrants involving the 
search and seizure of computer equipment, and have received training and certification in the 
seizure of digital evidence.

3. I make this affidavit in support of an application by the United States of America 
for the issuance of a warrant to search the computers described more fully in Attachment A, 
which items constitute evidence, contraband, fruits, or instrumentalities of violations of the 
criminal copyright and conspiracy laws, namely Title 18, United States Code, Section 2319 and 
Title 17, United States Code, Section 506 (Criminal copyright infringement); Title 18, United 
States Code, Section 2319B (Unauthorized recording of Motion pictures in a Motion picture 
exhibition facility); Title 17 United States Code, Section 1201 (Circumvention of copyright 
protection systems) and Section 1204 (Criminal offenses and penalties); Title 18 United States 
Code, Section 371 (Conspiracy to commit the foregoing offenses), and Section 2 (Aiding and 
Abetting the foregoing offenses). 

4. The facts set forth in this affidavit are based on my own personal knowledge; 
knowledge obtained from other individuals during my participation in this investigation, 
including other law enforcement officers; interviews of a cooperating witness, as related to me by 
other law enforcement officers; my review of documents and computer records related to this 
investigation; communications with others who have personal knowledge of the events and 
circumstances described herein; and information gained through my training and experience. 
Because this affidavit is submitted for the limited purpose of establishing probable cause in 
support of the application for a search warrant, it does not set forth each and every fact that I or 
others have learned during the course of this investigation. 

B. Summary 

5. This case involves an undercover investigation of organized groups of individuals 
and coconspirators - also known as "warez groups" or "warez coconspirators" - engaged in the
illegal reproduction and distribution of copyright protected software over the Internet, including 
the illegal copying of movies, games, and software, in violation of federal law. The investigation 
stemmed from a Group II Undercover Operation (UCO) initiated by the Federal Bureau of 
Investigation (FBI), San Francisco Division and U.S. Attorney's Office, Northern District of 
California, San Jose Division, in June 2003. During the course of the investigation, investigators 
identified a number of large-scale software piracy groups, also known as "warez groups" or 
"warez coconspirators," engaged in the uploading, copying, duplication, reproduction, and 
distribution of copyright-protected computer software, games, and movies by way of the Internet, 
in violation of federal copyright and conspiracy laws. 

6. During the undercover investigation, two warez sites were established in the
Northern District of California, known as LAD and CHUD. The second undercover warez site
(CHUD) alone became an eleven terabyte site. 1 In total, the two warez sites combined with two 
servers (called VS and SNOWCAVE) provided by warez members to date includes 
approximately 27 terabytes of pirated movies, games, and software, making this one of the 
largest undercover warez investigations. Numerous warez groups and coconspirators came to the 
undercover sites to store a large number of movies, games, and software that could be uploaded 
and downloaded by hundreds of individuals. Warez leaders operated and controlled the sites and 
established terms of membership and conditions governing and restricting access. As one of the 
conditions of membership, a warez group had to agree to provide a "first release" of a movie,
game, or software to the undercover operation (UCO) site. Each warez group was allocated a
negotiated number of slots where the group could allow a certain number of members within
their group to be on the site. Some warez members were compensated under a credit ratio (also
known as "ratio access") of one upload amount equal to three downloads (i.e. one gigabyte/three
gigabytes) as a means of private financial gain. In other words, an individual who uploaded one
movie could download three movies. In addition, other members paid money to individuals
outside of the warez conspiracy (referred to as outside suppliers) money to provide them with
early releases of movies, games, or software. Under this large conspiracy, involving multiple
individuals and warez groups, hundreds of individuals obtained free, unauthorized access to
pirated movies, games, and software. The distinct roles of the "warez" coconspirators in this
case are noted in Section II(B), below. A Summary of Relevant Computer and Internet Concepts
as they relate to this investigation are also provided in Section II(E), below.

1 One terabyte equals one trillion bytes, or approximately 700,000 3.5-inch floppy diskettes.

7. As set forth below, investigators have identified 

A. Ray Morada (aka nic rc51), Information Systems Manager at Georgetown 
University as a member of the warez conspiracy under investigation. The evidence gathered 
concerning the warez conspiracy includes, and is not limited to, communications with an 
undercover employee (UCE) by e-mail, telephone, instant messaging, Internet Relay Chats on the 
computer, and the downloading of copyrighted works. The evidence summarized below supports 
a finding of probable cause that the above-listed individual(s) conspired with others to violate 
federal criminal copyright laws, including the reproduction and distribution of copyright- 
protected movies, games, and software, and that the individual(s) did so using multiple 
computers and electronic media located on the computers to be searched. 

C. Relevant Statutes

Criminal Copyright Infringement 

8. Title 17, United States Code, Sections 506(a), (b) provides, in pertinent part: 

(a) Criminal Infringement. — (1) In general. —Any person who willfully infringes 
a copyright shall be punished as provided under section 2319 of title 18, if the 
infringement was committed - 

(A) for purposes of commercial advantage or private financial gain; 

(B) by the reproduction or distribution, including by electronic means, 
during any 180-day period, of 1 or more copies or phonorecords of 1 or 
more copyrighted works, which have a total retail value of more than 
$1,000; or 

(C) by the distribution of a work being prepared for commercial 
distribution, by making it available on a computer network accessible to 
members of the public, if such person knew or should have known that the 
work was intended for commercial distribution. 

(b) Forfeiture and Destruction. — When any person is convicted of any 
violation of subsection (a), the court in its judgment of conviction shall, in 
addition to the penalty therein prescribed, order the forfeiture and destruction or 
other disposition of all infringing copies or phonorecords and all implements, 
devices, or equipment used in the manufacture of such infringing copies or 
phonorecords. 

Penalties For Criminal Copyright Infringement 

9. The penalties for violations of Title 17, United States Code, Sections 506, are set 
forth in Title 18, United States Code, Sections 2319(b), (c), (d), which provide in pertinent part: 

(b) Any person who commits an offense under section 506(a)(1)(A) of title 17 — 

(1) shall be imprisoned not more than 5 years, or fined in the amount set 
forth in this title, or both, if the offense consists of the reproduction or 
distribution, including by electronic means, during any 180-day period, of 
at least 10 copies or phonorecords, of 1 or more copyrighted works, which 
have a total retail value of more than $2,500; 

(2) shall be imprisoned not more than 10 years, or fined in the amount set 
forth in this title, or both, if the offense is a second or subsequent offense
under paragraph (1); and 

(3) shall be imprisoned not more than 1 year, or fined in the amount set 
forth in this title, or both, in any other case. 

(c) Any person who commits an offense under section 506(a)(1)(B) of title 17, 
United States Code — 

(1) shall be imprisoned not more than 3 years, or fined in the amount set 
forth in this title, or both, if the offense consists of the reproduction or 
distribution of 10 or more copies or phonorecords of 1 or more 
copyrighted works, which have a total retail value of $2,500 or more; 

(2) shall be imprisoned not more than 6 years, or fined in the amount set 
forth in this title, or both, if the offense is a second or subsequent offense 
under paragraph (1); and 

(3) shall be imprisoned not more than 1 year, or fined in the amount set 
forth in this title, or both, if the offense consists of the reproduction or 
distribution of 1 or more copies or phonorecords of 1 or more copyrighted 
works, which have a total retail value of more than $1,000. 

(d) Any person who commits an offense under section 506(a)(1)(C) of title 17, 
United States Code - 

(1) shall be imprisoned not more than 3 years, fined under this title, or 
both; 

(2) shall be imprisoned not more than 5 years, fined under this title, or 
both, if the offense was committed for purposes of commercial advantage 
or private financial gain; 

(3) shall be imprisoned not more than 6 years, fined under this title, or 
both, if the offense is a second or subsequent offense; and 

(4) shall be imprisoned not more than 10 years, fined under this title, or 
both, if the offense is a second or subsequent offense under paragraph (2). 

Unauthorized Recording Of Motion Pictures In A Motion Picture Exhibition 
Facility 

10. Title 18, United States Code, Section 2319B provides, in pertinent part: 

(a) Offense- Any person who, without the authorization of the copyright owner,
knowingly uses or attempts to use an audiovisual recording device to transmit or 
make a copy of a motion picture or other audiovisual work protected under title 
17, or any part thereof, from a performance of such work in a motion picture 
exhibition facility, shall- 

(1) be imprisoned for not more than 3 years, fined under this title, or both; 
or 

(2) if the offense is a second or subsequent offense, be imprisoned for no 
more than 6 years, fined under this title, or both. 



(b) Forfeiture and Destruction- When a person is convicted of a violation of 
subsection (a), the court in its judgment of conviction shall, in addition to any 
penalty provided, order the forfeiture and destruction or other disposition of all 
unauthorized copies of motion pictures or other audiovisual works protected 
under title 17, or parts thereof, and any audiovisual recording devices or other 
equipment used in connection with the offense. 

Circumvention of Copyright Protection Systems 

11. Title 17, United States Code, Section 1201, provides in pertinent part: 

Section 1201. (a) Violations Regarding Circumvention of Technological 
Measures. — 

(1) (A) No person shall circumvent a technological measure that effectively 
controls access to a work protected under this title. The prohibition contained in 
the preceding sentence shall take effect at the end of the 2-year period beginning 
on the date of the enactment of this chapter. 



(2) No person shall manufacture, import, offer to the public, provide, or otherwise 
traffic in any technology, product, service, device, component, or part thereof, 
that— 

(A) is primarily designed or produced for the purpose of circumventing a 
technological measure that effectively controls access to a work protected 
under this title; 

(B) has only limited commercially significant purpose or use other than to 
circumvent a technological measure that effectively controls access to a
work protected under this title; or 

(C) is marketed by that person or another acting in concert with that person 
with that person's knowledge for use in circumventing a technological 
measure that effectively controls access to a work protected under this 
title. 

(3) As used in this subsection — 

(A) to "circumvent a technological measure" means to descramble a 
scrambled work, to decrypt an encrypted work, or otherwise to avoid, 
bypass, remove, deactivate, or impair a technological measure, without the 
authority of the copyright owner; and 

(B) a technological measure "effectively controls access to a work" if the 
measure, in the ordinary course of its operation, requires the application of 
information, or a process or a treatment, with the authority of the copyright 
owner, to gain access to the work. 

Penalties For Circumvention Of Copyright Protection Systems 

12. The penalties for violations of Title 17, United States Code, Section 1201, are set 
forth in Title 17 U.S.C. Section 1204, which provides in pertinent part:

(a) In General - Any person who violates Section 1201 or 1202 willfully and for 
purposes of commercial advantage or private financial gain - (1) shall be fined not 
more than $500,000 or imprisoned for not more than 5 years, or both, for the first 
offense; and (2) shall be fined not more than $1,000,000 or imprisoned for not 
more than 10 years, or both, for any subsequent offense. 

Conspiracy 

13. Title 18 United States Code, Section 371 states, in pertinent part: 

If two or more persons conspire either to commit any offense against the United 
States, or to defraud the United States, or any agency thereof in any manner or for
any purpose, and one or more of such persons do any act to effect the object of the 
conspiracy, each shall be fined under this title or imprisoned not more than five 
years, or both. 

Aiding and Abetting 

14. Title 18, United States Code, Section 2(a) states, in pertinent part:

(a) whoever commits an offense against the United States or aids, abets, counsels,
commands, induces or procures its commission, is punishable as a principal.

II. BACKGROUND OF INVESTIGATION 

A. Overview Of The Warez Conspiracy 

15. Over the past several years, teams of computer "hackers" have organized 
themselves into various domestic and international groups that became an underground Internet 
society known as the "warez" community. The leading warez groups compete against each other 
to attain the reputation as the fastest, highest quality, free provider of pirated computer software, 
including utility and application software, console games, and movies. These warez groups 
specialize in being the first to release new pirated software to the warez community for 
unauthorized reproduction and distribution. 

16. Preparing new pirated software for release and distribution to the warez 
community generally requires a number of different steps and roles for the coconspirators. First, 
an individual known as a "supplier" will post an original digital copy (also known as an ISO 
((International Standards Organization)) of new computer software to an Internet site controlled 
by a particular warez release group, also known as a "drop site." Frequently, "suppliers" may 
include company insiders who can provide final versions of new product before it is released to 
the public. Another recent supply source may include the use of audiovisual recording devices 
(such as camcorders) to make an unauthorized copy of a motion picture or other audiovisual 
work protected by the copyright laws. Once the new supply is posted to the "drop" or "drop site," 
another individual, known as an "encoder," retrieves the software and removes its copyright
protection controls (including technological measures designed to protect the copyrighted works,
and other security controls, such as including serial numbers, tags, duplication controls, and 
security locks). Once successfully cracked, the software is tested and packed for final posting to 
the "drop" site, where it is picked up by couriers for rapid distribution to other warez sites 
worldwide. The entire process can occur within a matter of hours. 

17. Active participants in the release and distribution process are rewarded with 
access to private FTP sites containing large caches (often with more than one terabyte of 
storage) 2 of pirated software. These FTP sites function as virtual candy stores of pirated works, 
including application and utility software, games, movies and music. Once the user gains 
privileged access to these FTP sites, the user is able to copy and duplicate, by downloading, vast 
amounts of pirated software for personal or other uses. 

B. Distinct Roles Within The Warez Conspiracy 

18. Through experience and participation in this investigation, I have become familiar 
with the manner in which these organized groups of individuals - also known as "warez groups" 
- engage in the illegal reproduction and distribution of copyrighted works over the Internet. The 
success of any warez conspiracy depends on the roles and contributions of many coconspirators. 
Based on information obtained in the investigation, and based on my training and experience, I 
have formed the opinion that the Warez scheme and conspiracy were committed by individuals 
having distinct roles. While some members may handle multiple roles, other members may only 
be responsible for one role. Investigators learned that all members hold some responsibility in
keeping their warez group and site up and running. In this investigation, the distinct roles have
included but were not limited to: leaders or founders who originally form the warez group,
scriptors who prepared the site to function, site operators who managed the site, brokers who
found groups to participate on the site, suppliers who had access to the movies, games, and
software, couriers who transported the software to different sites, encoders (also known as
"crackers" or "rippers") who circumvented the software so that it could be placed on the Internet,
and leeches who were a member based on friendship, not group affiliation. Based on information
obtained during the course of this investigation (including but not limited to communications by
warez participants with the UCE), and other similar cases, and my training and experience, the
distinct roles can be further defined as follows:

2 One terabyte equals one trillion bytes, or approximately 700,000 3.5-inch floppy diskettes.

Founders or Leaders

19. Each group has one member who created and came up with the name of the
group. Additionally, leaders look for opportunities to "affil" with top release sites, and to look 
for additional members who could provide something of value to the group. 

Scriptors 

20. Some members of the Warez Conspiracy serve as "scriptors" and are responsible 
for scripting (create/program/build) sites which allowed groups to keep track of all of its 
members and their affiliated groups, invited guests, statistics of the members, directories, 
previewing new DVDs, keeping the site running, innovative, and provided proper security. They 
were responsible for the administration of the site. Scriptors had root access to the warez site. 

Site Operators (Siteops) 

21. Each warez site had "site operators" ("siteops") whose function was to have root
access to the site and act as the administrator of the site to keep it in working order. Siteops
typically store the software, movies or games transported by the couriers. They were the only 
individuals who knew where the site was actually located and could make decisions and changes 
to the server through remote access. The majority of the IRC conversations were held by the 
siteops and the major couriers of the groups. The siteops can also have root access to the warez 
site. 

Suppliers 

22. The supplier found an original digital copy (ISO) of a movie, game or software. 
This individual may have direct access to original movies, games or software, or has contacts, 
outside of the warez scene, who supply original copies to the supplier of a warez group. 
Frequently, the supplier either was or had access to company insiders who could provide final 
versions of new product before it was released to the public. If the supplier had an individual 
outside of the group who had agreed to provide original copies, it was found that the movies, 
games or software were obtained by paying money. 

Cammer 

23. A "cammer" uses an audiovisual recording device (such as a camcorder) to make 
a copy of a motion picture or other audiovisual work that is protected by the copyright laws. For 
example, a "cammer" may record a movie while sitting in a movie theater. The recorded movie 
is then often uploaded for distribution to other warez members on the warez site or distributed 
for sale. 

Equipment Suppliers 

24. Many members of the group provided hardware, (to include hard drives, computer 
parts, and computer servers) to the warez site. The mission of the warez coconspirators was to
constantly be upgrading the site to make it better than other warez sites, to be the biggest in terms 
of storage capacity, and to be the fastest. This entailed trying to secure a never ending demand 
for equipment. If a warez member contributed hardware, they were provided leech access to the 
site so they were able to upload and download as much as they wanted without a ratio restriction. 

Couriers

25. "Couriers" are "warez" group members charged with gathering computer software 
programs, games, and movies and uploading them to the "warez" site. "Couriers" typically 
transport the pirated software to various "warez" sites on the Internet. 

Encoder/Ripper/Cracker 

26. An "encoder" (sometimes referred to as "ripper" and "cracker") is responsible for 
circumventing the technological measures and protections of copyrighted works on the DVDs to 
prevent unauthorized access and copying. The "encoder" also removes the registration 
information, copyright protections, security locks, serial numbers, and duplication controls on the 
software. The file can be ripped to reduce the total file size of the copyrighted software, which 
makes copying and downloading easier and faster. The encoder will circumvent and disable the 
work's copyright protections and determine whether it functions as it should. The role of an 
encoder could be done by a separate individual; however, the siteop, supplier, or courier may also 
perform this role. 

Leech 

27. Some group members were referred to as a "leech." These individuals mainly 
leeched movies, games, and software from the site. The leeches did not offer much to the group 
but may have been a friend of someone or had some other affiliation that gave them access to a
site. They are not required to fulfill the ratio of uploads/downloads and can download as much 
as they want. 

Affil 

28. An "affil" was a warez group that agreed to provide its first release of movies,
games, or software to a particular top site. 

C. Common Tools And Equipment Used In A Warez Conspiracy 

29. Based on my training and experience, including information that I have obtained 
from others experienced in warez investigations, and based on information obtained during the 
course of the investigation, common tools and equipment include but are not limited to: 
computers (used for distributing copyrighted works); scanners (used for replicating CD images 
for distribution), digital cameras or other digital media or image recording devices (including 
camcorders) which may be used to record movies in the theater; color printers (for replicating 
images); software for site access and operations, 3 including the encoding of movies; hardware 
(such as thumb drives or hard drives) to store the software; 4 burning tool programs and software 



3 Computer software includes any and all data, information, instructions, programs, or program 
codes, stored in the form of electronic, magnetic, optical, or other media, which is capable of 
being interpreted by a computer or its related components. Computer software may also include 
data, data fragments, or control characters integral to the operation of computer software, such as 
operating systems software, applications software, utility programs, compilers, interpreters, 
communications software, and other programming used or intended to be used to communicate 
with computer components. 

4 Computer hardware includes any electronic device capable of data processing (such as central 
processing units, laptop or notebook computers, personal digital assistants, and wireless 
communication devices); peripheral input/output devices (such as keyboards, printers, scanners, 
plotters, monitors, and drives intended for removable media); related communications devices 
(such as modems, cables and connections); storage media, defined below; and security devices, 
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(used for FTP file transfers, including but not limited to FlashFXP)); data security devices; 5 
Playstation 2 and XBox consoles (for viewing copyrighted works), cellular telephones (including 
voice mail, instant messaging), palm pilots, and personal data equipment (PDA) used for 
communications and some storing of pirated materials. It is also common for warez members to 
provide manuals or "primers" including instructional steps to encode, download, and upload 
copyrighted materials over the Internet. 

D. Northern District Of California Investigation 

30. In June 2003, the San Francisco Federal Bureau of Investigation (FBI) 
commenced its undercover operation. A cooperating witness (CW) initially provided 
background information concerning the warez scene. The CW then introduced the UCE into the 
warez scene. After the introduction, the CW had no direct involvement in the undercover 
operation. The UCE did not have any knowledge in creating a warez site, and was dependent on 
the knowledge of others who visited or joined the sites. 

Two Warez Sites: LAD and CHUD 

3 1 . The Northern District of California undercover investigation involved two 
different warez sites. The first was originally known as HOT and later named LAD. LAD was a 



also defined below. 

5 Data security devices include any devices, programs, or data, whether themselves in the nature 
of hardware or software, that can be used or are designed to be used to restrict access to, or to 
facilitate concealment of, any computer hardware, computer software, computer-related 
documentation, or electronic data records. Such items include, but are not limited to, user names 
and passwords; data security hardware (such as encryption devices, chips, and circuit boards); 
data security software or information (such as test keys and encryption codes); and similar 
information that is required to access computer programs or data or to otherwise render programs 
or data into usable form. 
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smaller site (approximately 700 megabytes early on) and eventually became an archive site, 
holding older movies, games, and software (which is currently approximately 3.5 terabytes). 
During the course of the UCO, site members decided to change the name from HOT to LAD 
after some of the members became concerned that the site was getting too well known and they 
decided to increase security and limit access. Two individuals, one identified as Danny Milnor 
(aka NITE), and Phillip Templeton (aka KryptOr), served as siteops and created the site using the 
UCE's server. Eventually, another individual, Neil Maklouf (aka blackang), who was very well 
known in the warez scene, agreed to take over and be the siteop for LAD. 

32. A second site using the UCE's storage space was created, known as CHUD, 
utilizing the expertise of additional individuals, identified as Tim Burns (aka daconnect/dact) and 
David Fish (aka xOOOx). dact and xOOOx had affiliations with some of the best sites in the United 
States and abroad. xOOOx was well known for setting up servers to be used by warez groups. 
Acting as siteop, xOOOx agreed to script the site and dact would broker introductions with top 
warez groups. CHUD allowed a very select number of top groups, domestically and 
internationally, to be an affil of the site. CHUD became an eleven terabyte site with a gigE line 
(gigE is equivalent to 1,000 megabits, whereas most sites have a 100 megabit line that allows 
data to enter and leave the site). CHUD provided a large amount of storage, but more 
importantly, was incredibly fast, and significantly faster than the LAD site. CHUD became 
known in the warez scene as one of the few top sites with gigE speed. The undercover warez site 
was located in a co-located ISP. 

33. The undercover site identified numerous coconspirators and individuals actively 
engaged in violation of federal criminal copyright laws. The undercover site was one of the top 
"release" sites in the United States, with one of the largest directories of movies, games and
software. Many "reputable" warez groups and their members came to the site to release their 
first copy of a pirated movie, game, or software. Investigators learned that one of the primary 
missions of the warez conspiracy was to be the first to release a particular copy of a movie, game, 
or software onto the Internet. 

34. As further described below, warez members took numerous steps to conceal and 
protect the conspiracy to violate federal copyright laws. For example, the siteops group adopted 
security measures for the warez site; limited access to the warez site to specific members; 
established separate channels for private communications between members; and used a 
barter/credit system designed to reward members and provide access to the site based on the 
contributions of the members. Investigators discovered numerous pre-released movies, which 
were placed onto the undercover warez site before the scheduled DVD release to the general 
public. As one recent example, the movie "Star Wars: Episode III - Revenge of the Sith (2005)"
was placed on the warez site within hours of its theatrical release to the public. 

Private Communication Channels 

35. Members of the warez scene often use "real time" software applications to 
communicate with each other online. These methods of communication include Instant
Messenger ("IM") and password-only Internet relay chat ("IRC"). When the warez site was created
or a warez group was established, in order to conduct business and discuss issues regarding the 
warez scene, individuals created private IRC channels where they discussed issues regarding the 
site or just had conversations about personal business. Individuals using the IRC channels were 
permitted access by invitation only and were engaged in the illegal trafficking of copyrighted 
material, to include movies, games, and software. The following network channels were created
by the users of CHUD and LAD and used a secure socket layer (SSL) communication (a protocol 
for securely transmitting documents via the Internet) which would encrypt communications 
across all of the IRC channels. The IRC channels were referred to as: #chudincorporated,
#donottell, #?vs, #!vs, #laddy, #! — ! ! !, #snowcave and #itv. Some members, such as couriers
or suppliers, did not participate in the private IRC discussions. As the UCO progressed,
investigators learned that some members used other methods of communication, including 
e-mail, instant messaging, and telephones. 

Security Mechanisms To Limit Access 

36. CHUD and LAD had a number of sophisticated security mechanisms to control 
access to the warez sites. Authorization and authentication of users occurred using a 
combination of screen name verification, password authentication, port variation (usually
non-standard port numbers), and IP address verification. To be permitted access to either the CHUD
or LAD sites, a warez member had to be invited to the site. As an example, the "invited" user
was required to provide their IP address or a limited range of possible IP addresses (e.g.,
210.1.63.* could include a bank of IP addresses such as 210.1.63.0-210.1.63.5) which would be 
assigned for verification upon site log in, in addition to providing a personal password, a port 
number and a domain name. The warez user also had an option to encrypt their identification 
information and traffic, to further conceal their specific activities with the warez site. 

Bounce IP Addresses 

37. Based on my training and experience, and based on information obtained during
the course of this UCO, warez groups would take additional precautions of using a bounce IP to
"hide" the true IP of the warez site as well as using a bounce to hide themselves. A bounce IP
was an additional security that the siteops used to allow the authentication of users to the site.
When a user directed his Internet browser to a specific port or IP, the bounce will prompt the user
for his screen name and personal password. At the same time, the bounce verified the user's IP
address to ensure that it matched the IP address, or range of IP addresses, that the user previously
provided to a siteop. By checking whether a user's incoming IP address matched this
pre-authorized IP address, the bounce verified that the user really was who he says he was, and
not just someone using the authorized user's screen name and password. Screen names (nics)
were unique to each individual. Once this authentication process was complete, the user was
automatically bounced to the true IP address assigned to CHUD or LAD. CHUD and LAD also
performed a similar authentication process before the user was permitted entry into its large
archive of software, movies, and games. Only siteops with root access to CHUD or LAD knew
the actual IP.

Case 1:06-mj-00086-JMF Document 1-2 Filed 03/02/2006 Page 19 of 48

Credit System and Financial Compensation 
38. For members of a warez group to be able to have access to the storage of all of the 
site's movies, they needed to supply something of value to the site. This could be in the form of
equipment to keep the site running or software to exchange. Members received credits for every 
upload, and could download based on the size of the upload. The ratio of uploads to downloads 
is commonly one to three. For example, individuals used a credit ratio of one upload amount 
equal to three downloads (i.e. one gigabyte/three gigabytes) as a means of financial gain for the 
site. Whatever the size of one upload, allows you to download that amount times three. As 
another language, if you downloaded a movie that was one gigabyte, you could download three 
gigabytes of other pirated software. In addition, other members paid money to individuals
outside of the warez conspiracy (referred to as outside suppliers) to provide them with early 
releases of movies, games, or software. In some cases, outside suppliers would not require 
monetary payment if they had a personal relationship, but investigators learned that money was 
exchanged in most cases. 

Circumventing Technological Measures 
39. Many new releases for movies, software and games include technological 
measures designed to protect or limit access to copyrighted materials. For example, many DVDs 
contain an access control and copy prevention system, including a "Content Scramble System" 
(CSS). CSS serves as a technological measure to protect the contents of a DVD from 
unauthorized access and copying, which are thwarted by a scrambled image. Some warez 
members have developed abilities to circumvent these technological measures protecting the 
copyrighted content on the DVDs. Once the technological measure is circumvented, 
unauthorized access and copying can be permitted. For example, in this investigation the Motion 
Picture Association of America made a preliminary determination that circumvention tools were 
being used to bypass the technological measures designed to protect the copyrighted works, or 
movies. After conducting a preliminary analysis of some of the products that had been placed on a
server used by xOOOx that was located in the UCO ISP to encode movies and games, the MPAA 
confirmed that the following products enabled the circumvention of CSS: 
1. AnyDVD 

AnyDVD is a driver (DVD Ripper), which runs undetectable in the background and descrambles 
DVD-Movies automatically allowing you to copy CSS encrypted and copyright DVDs.

2. Gordian Knot

Gordian Knot started out as a simple bitrate calculator for DivX encoding but has evolved to 
become an integrated package or tool for the entire process of DivX/XviD encoding. 

3. DVD2SVCD 

DVD2SVCD combines many programs together: vStrip to rip the DVD (best ripper around), 
DVD2AVI to create a DVD2AVI project, Mpeg2dec and Avisynth for the fastest frameserving 
from DVD2AVI to CCE, BeSweet for high quality audio processing, video encoding in CCE, 
TMPG or Procoder, then applying pulldown flag in case of an NTSC video, multiplexing video 
and audio using bbMPEG and finally creating SVCD images for burning using VCDImager. 
Furthermore DVD2SVCD supports multiple audio streams and selectable subtitles (the latter 
only works on standalone players). The program comes as a complete package that contains all 
the free softwares required. You only have to add CCE SP or TMPG. 

4. DVD Decrypter 

DVD Decrypter is a highly versatile VOB-ripping utility. The software takes advantage of both 
the DeCSS Plus and VobDec algorithms for looking up and decrypting the CSS encryption. DVD 
Decrypter is also multi-angle aware, and capable of removing the Macrovision scrambling key,
as well as the region code during the ripping process. 

5. DVD Shrink 

DVD Shrink is software to backup DVD discs. You can use this software in conjunction with 
DVD burning software of your choice, to make a backup copy of any DVD video disc. 
DVD Shrink will also burn your backup DVD, if you have installed the latest version of Nero. 
You can download a demo version of Nero here. If you already possess alternative burning 
software and prefer to stick with it, then you can still use DVD Shrink. The output from DVD
Shrink can be saved as files on your hard drive, which you can then burn with software of your 
choice. 

6. DVD2AVI 

DVD2AVI is actually about the best application there is for decoding a DVD. However, it would 
appear that it has too few options to make a good quality movie. For example, you cannot just 
crop and resize the video. To do this you must frameserve your movie first to other applications 
such as TMPGEnc. Neither does it have MP3 audio support or IFO parsing like Flask Mpeg. It 
was also slightly slower than both Flask and Mpeg2avi. But since everyone now wants to make 
movies from DVD using Nandub it has become necessary to introduce this method because it's by
far the easiest way to decode a movie to Nandub. 

7. VirtualDubMod 

VirtualDubMod is based on the famous video editing software VirtualDub by Avery Lee. Born as 
a unification of several existing modifications, a lot of new features have been added, including 
support for the matroska container format.

Camcorder Movies
40. The undercover investigation confirmed that some warez members obtained and 
supplied camcorder copies of recently released movies. The UCE found through IRC chats, that 
some individuals (or "cammers") were tasked to go into movie theaters to make unauthorized 
recordings of movies, concealing equipment that was skillfully hidden in their clothes. The 
equipment was designed to record the movie while remaining very still to get the best recording. 
To obtain the best sound quality, some warez members would use the audio headphones 
provided for the hearing impaired to minimize audience and theater sounds. In addition, these
members would get individuals to sit in front of them so that they could guarantee no one would 
stand up in front of them during the movie. Some examples of the camcorder movies uploaded 
to the undercover warez site include "The Pacifier," "Monster in Law," and "A Beauty Shop." 
According to IRC communications, the individuals making the unauthorized theatrical recording 
were financially compensated for obtaining the copies of the movies. The unauthorized copy was 
then provided to others for manufacture for sale on DVDs.

Additional Servers

41. Throughout the undercover operation, warez members provided equipment to
store copyrighted materials from other warez groups. Some of the equipment included computer 
servers and hard drives, along with other computer equipment. Three of the servers became 
known as "SNOWCAVE," "VS" and "Centropy" (aka CTP). 

SNOWCAVE Server 

42. In April 2005, an individual known as fatboy mailed to the UCE two servers that 
he used to house pirated copies of movies, games, and software for the UCE to place in the UCO. 
The servers were known as SNOWCAVE. To date, SNOWCAVE has approximately 3.5 
terabytes of stored movies, games, and software. 

43. Investigators compiled a directory list from the log of new movie titles that had 
been uploaded to SNOWCAVE and provided the list to the Motion Picture Association of 
America (MPAA) for analysis. MPAA confirmed in writing that its member organizations held
copyrights to 149 of these movies. Many of these movies were uploaded to SNOWCAVE either 
before or at the time that the movie was being shown in U.S. theaters.

44. SNOWCAVE did not contain any games on the server at the time a directory list
was obtained. 

45. A directory list from the log of software from SNOWCAVE was provided to the 
Business Software Association (BSA) for confirmation that copyrights existed for the titled 
software applications. BSA confirmed in writing that its member organizations held copyrights 
to 148 of these software applications totaling $132,686.40. 

VS Server 

46. In addition to housing two servers CHUD and LAD, CHUD being a top release 
site, members of the group BOOZERS approached the UCE and asked if they could house their 
server, VS (Victoria Secret) in his co-located space. The agreement was that any movie or game 
released to their site would be released to CHUD as one of their top release sites. It was the 
intention of VS to affil several warez groups and not limit the server to only one group. To date, 
VS has approximately 9 terabytes of stored movies, games, and software. 

47. Investigators compiled a directory list from the log of new movie titles that had 
been uploaded to VS and provided the list to the Motion Picture Association of America 
(MPAA) for analysis. MPAA confirmed in writing that its member organizations held 
copyrights to 480 of these movies. Many of these movies were uploaded to VS either before or 
at the time that the movie was being shown in U.S. theaters. 

48. A directory list from the log of games from VS was provided to the Entertainment 
Software Association (ESA) for confirmation that copyrights existed for the titled computer 
game entries. ESA confirmed in writing that its member organizations held copyrights to 988 of 
these games totaling $17,548.20.

49. A directory list from the log of software from VS was provided to the Business
Software Association (BSA) for confirmation that copyrights existed for the titled software 
applications. BSA confirmed in writing that its member organizations held copyrights to 97 of 
these software applications totaling $193,390.86. 

Centropy (aka CTP) 

50. In April 2005, an individual known as "guyzzz" contacted the UCE and stated that 
a group, known as Centropy (aka CTP) agreed to affil CHUD. The agreement was to build a 
separate server that would be placed into the UCO for CTP that they could use in agreement for 
placing their first release of movies, games, and software onto CHUD. "so i TALKD with CTP, 2 
guys, and DON'T TELL dact this, one guy lievs liek 25 miles form me, and, We went to the same 
shcool, junior high, samll world, i todl them i woudltn give +1 but i just out of the blew on fine 
told him i coudl buld a box for them and they said yes. they get root on it and NO ONE can be on 
site excpet you and me. and inorder to hide it, they will GUEST on VS and pre every release on 
VS so it doesn't LOOK like they got a new site." To date, the combined servers, CHUD, LAD, 
VS, and SNOWCAVE, contain approximately 27 terabytes of pirated movies, games, and 
software. 

51. Once a user is logged on to CHUD, LAD, VS, SNOWCAVE or CTP, each server
has the capability to record (or log) the names of all files uploaded or downloaded by the user 
and the IP address of the computer sending or receiving the transfers. The movies, games, and 
software are constantly being uploaded and downloaded from the site by multiple users and many 
movies, games, and software are deleted if they need to make room for more current copies or 
because the copy they have is poor quality.

Copyrighted Materials

52. Once a user is logged onto the warez sites CHUD or LAD, it recorded (or logs) 
the names of all files uploaded or downloaded by the user and the IP address of the computer 
sending or receiving the transfers. To date, CHUD contains more than 2,500 titles of movies, 
computer software and game, comprising more than 11 terabytes of electronic file data. Titles of
movies, games, and software are constantly being uploaded and downloaded from the warez 
sites. 

53. Investigators compiled a directory list from the log of new movie titles that had 
been uploaded to CHUD and LAD and provided the list to the Motion Picture Association of 
America (MPAA) for analysis. MPAA confirmed in writing that its member organizations held 
copyrights to 766 of these movies. Many of these movies were uploaded to CHUD either before 
or at the time that the movie was being shown in U.S. theaters. 

54. Directory lists from the games from CHUD and LAD were provided to the 
Entertainment Software Association (ESA) for confirmation that copyrights existed for the titled 
games. ESA confirmed in writing that its member organizations held copyrights to 1,283 of the
games, totaling approximately $20,981.69. 

55. A directory list from the log of software from CHUD and LAD was provided to 
the Business Software Association (BSA) for confirmation that copyrights existed for the titled 
software applications. BSA confirmed in writing that its member organizations held copyrights 
to 188 of the software applications, totaling approximately $389,101.82. 

Operation Site-down 

56. On June 28, 2005, the Honorable Richard Seeborg signed search warrants in the 
Northern District of California for the residences of Chirayu Patel and Ryan Zeman. Patel was
involved as the SiteOp and owner for the warez server VS. 

57. On June 28, 2005, the Honorable Richard Seeborg signed arrest warrants in the 
Northern District of California for four individuals involved in the warez conspiracy. Two 
individuals, William Veyna and Chirayu Patel, acted as SiteOps for the warez server VS. 

58. On June 29, 2005 the San Francisco Division, with the help of dozens of other FBI 
divisions throughout the nation, executed 4 arrests warrants, 30 search warrants and numerous 
interviews for this operation. The interviews gleaned vital information regarding the warez
conspiracy and the FTP servers that individuals and groups utilized to move copyrighted material 
throughout the internet. The search warrants netted over 150 computers and hard drives, 
thousands of illegally obtained CDs, SVCDs and DVDs. 

59. Search warrants were also executed by the Royal Canadian Mounted Police (RCMP) 
on five Canadian warez members. One individual that the RCMP searched was responsible for 
building and sending the server SNOWCAVE. This individual was also the SiteOp for the 
warez server SNOWCAVE. 

60. Prior to the execution of the warrants the site that all the servers were kept was taken 
offline in order to preserve all evidence, including but not limited to user logs, xferlogs (a log 
that tracks what files are transferred throughout the server) and movie directories. 

61. On July 12, 2005, a Federal Grand Jury in the Northern District of California indicted 
four members of the warez conspiracy—GJ investigation No 2003R00650. Two of these 
members, William Veyna and Chirayu Patel, were site operators on the warez server VS. 

62. On August 3, 2005, a Federal Grand Jury in the Northern District of California 
indicted one individual involved in the warez conspiracy. This individual was camming films in
a movie theater in vicinity of Saint Louis, Missouri. 

63. On November 16, 2005, a Federal Grand Jury in the Northern District of California
indicted 5 members of the warez conspiracy with violations of federal copyright laws, including
Moises Nunez, Stephen Brown, Oscar Martinez, Paul Aleman, and Deston Evans.

E. Summary of Evidence and Probable Cause to Subjects Computers and Warez 
Co-conspirators 

1. Probable Cause to search computers used by RAY MORADA while employed at 
Georgetown University [Nic:rc51] 

64. I believe there is probable cause to believe that Ray Morada, using the FTP account 
rc51, committed multiple violations of criminal copyright and conspiracy laws (as defined in 
Section 1(C)), and that evidence of those violations is located at School of Nursing and Health, 
105 Saint Mary's Hall, Georgetown University, Washington, D.C. Specifically, we have the 
following evidence that the FTP account nic belong to FTP user account rc51. Specifically, we
have records from the UCO site and the ISP that state rc51 downloaded illegally copyrighted
material. 

65. A query and examination of the log files of servers CHUD for the time period of 
February 2005 to May 2005 indicate that an individual with the FTP user name rc51 using IP 
masks IP *@141.161.225.* downloaded 21 computer software programs, 36 video games, and 
107 movie titles. Morada has downloaded over 400 gigabytes of computer software, games, and 
movies from CHUD. The CHUD FTP logs state that the user account rc51 downloaded the
following movie (the o means output): 

6/27/2005 8:29:43 -141.161.225.79/Bewitched/o/rc51 
Examples of the computer software, movies and video games that Morada downloaded from
CHUD included the following titles:

Be Cool - Film 

Meet The Fockers - Film 

Blade Trinity - Film 

Fantastic 4 - Software game

SWAT 4 - Software game 

Adobe Creative Suite 2 Premium - Software 

Avid Alien Brain Studio - Software
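
An added illustration, not part of the affidavit or of the investigators' tooling: the kind of log query paragraph 65 describes, run in Python over constructed log lines in the quoted `date time -IP/title/direction/nic` layout. The `i` (input) direction code, the sample nics and titles, and the documentation-range IP addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from fnmatch import fnmatchcase
from ipaddress import AddressValueError, IPv4Address

# Layout quoted in paragraph 65: date time -IP/title/direction/nic
# "o" means output (download); "i" for input (upload) is assumed here.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2}) "
    r"-(?P<ip>[0-9.]+)/(?P<title>.+)/(?P<dir>[io])/(?P<nic>[^/\s]+)$"
)


def parse_line(line):
    """Return one transfer record as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        # Reject impossible timestamps and addresses instead of guessing.
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S")
        ip = IPv4Address(m["ip"])
    except (ValueError, AddressValueError):
        return None
    return {"ts": ts, "ip": str(ip), "title": m["title"],
            "dir": m["dir"], "nic": m["nic"]}


def ip_matches_mask(ip, mask):
    """Match an address against an 'ident@ip-glob' mask such as '*@192.0.2.*'.

    The log carries no ident field, so only the part after '@' is compared.
    """
    ip_glob = mask.rsplit("@", 1)[-1]
    return fnmatchcase(ip, ip_glob)


def summarize(log_text, masks_by_nic):
    """Tally transfers per nic and flag records whose IP is outside its masks."""
    report = defaultdict(
        lambda: {"downloads": 0, "uploads": 0, "ips": set(), "off_mask": []}
    )
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # keep a count so gaps in the log are visible
            continue
        entry = report[rec["nic"]]
        entry["downloads" if rec["dir"] == "o" else "uploads"] += 1
        entry["ips"].add(rec["ip"])
        masks = masks_by_nic.get(rec["nic"], [])
        if not any(ip_matches_mask(rec["ip"], m) for m in masks):
            # An off-mask record means the mask list on hand does not cover
            # the period the log covers; it needs a second look, not a tally.
            entry["off_mask"].append(rec)
    return dict(report), unparsed


# Constructed sample data (RFC 5737 documentation addresses, invented nics).
SAMPLE_LOG = """\
3/02/2005 21:14:05 -192.0.2.79/Example.Movie.A/o/nic_a
3/02/2005 21:40:17 -192.0.2.80/Example.Game.B/o/nic_a
3/05/2005 02:11:58 -198.51.100.7/Example.Movie.C/o/nic_a
3/06/2005 9:03:30 -203.0.113.20/Example/Tool.D/i/nic_b
garbled line without fields
3/07/2005 25:61:00 -203.0.113.21/Example.Movie.E/o/nic_b
"""
SAMPLE_MASKS = {"nic_a": ["*@192.0.2.*"], "nic_b": ["*@203.0.113.2?"]}

if __name__ == "__main__":
    report, unparsed = summarize(SAMPLE_LOG, SAMPLE_MASKS)
    for nic, entry in sorted(report.items()):
        print(nic, entry["downloads"], entry["uploads"],
              sorted(entry["ips"]), len(entry["off_mask"]))
    print("unparsed lines:", unparsed)
```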

66. The log files captured the IP addresses assigned to the computer from which Morada 
downloaded files. Georgetown University officials, Dave Morrell - Vice President of University 
Safety, Rob Walters - Legal Services Coordinator, and Kathryn Baerwald - Georgetown 
University Legal Counsel stated that the university was able to identify the user of IP 
141.161.225.79 as Ray V Morada, Systems Manager, School of Nursing and Health, 105 Saint 
Mary's Hall, Room 208, Georgetown University. Since the accounts currently download using 
the aforementioned IP there was probable cause to believe evidence of the crime will be located 
on the computers he used while employed at Georgetown University. 

67. On November 17, 2005, Georgetown University contacted Special Agent Julia B. 
Jolie of the FBI to advise that they had located what appeared to be a weapon in the office of Ray 
Morada. Morada was placed on administrative leave pending an investigation. The Georgetown 
University Campus Police were called in to investigate. 

68. Jim Ward, Associate University Counsel, also advised that they had removed the 
computer where the following IP had been used for downloading copyrighted media, 
141.161.225.79. The removal was pursuant to their receipt of a Preservation Request under the 
provisions of Title 18, United States Code, Section 2703 (f)(1) by the FBI. In addition to the 
computer that the FBI had indicated in the preservation letter, Ward advised that three other
computers were seized that had been located in Morada's office. Ward advised that a 
Georgetown University technician, in a preliminary examination of one of the computers, found 
that the computer server appeared to be a gaming machine which had games, amount unknown, 
stored on its hard drive. The computers were listed as follows: 

1. XPS Blue Dell CPU, S/N G2WH451 (Preserved as requested) 

2. Optiplex black Dell CPU, S/N 28LKJ41 

3. Sony VIAO CPU, S/N 28580130 

4. CoolerMaster silver CPU, no S/N (Preliminary review, appeared to hold copyrighted games)

69. A preliminary computer forensic review was also completed by Department of 
Public Safety technician, David Smith, on the Optiplex Dell S/N 28LKJ41. It was the 
technician's conclusion that the computer was used exclusively for entertainment purposes, 
specifically for recording CDs and DVDs of copyright and pornographic material. A directory 
listing was made which indicated the computer contained a large number of movies, games, and 
software. A Preservation Request under the provisions of Title 18, United States Code, Section 
2703 (f)(1) was immediately sent by the FBI concerning the additional computers located.

70. On December 7, 2005, Jim Ward contacted SA Julia B. Jolie to advise that Ray 
Morada had been terminated from Georgetown University. As part of the investigation pending 
Morada's termination, an inventory of Morada's office was conducted. Daryl Harrison, 
Georgetown University Campus Police, conducted the inventory and interviewed Ray Morada at 
that time. During the inventory, multiple items were confiscated that appeared to be copyrighted 
media to include the following: DVDs and CDs that had been downloaded, a gaming keyboard, 
media burning materials.

71. At the time of the inventory, Morada was interviewed regarding the items that
appeared to relate to copyright violations. During the interview with Harrison, Morada admitted 
to using University computers to download DVDs during work hours. 

72. Georgetown University's Legal Counsel has indicated that, if served with a lawful 
search warrant, Georgetown will turn over the items confiscated pursuant to Georgetown's own 
internal investigation as described in the above paragraphs. 

F. Summary of Relevant Computer and Internet Concepts 

73. Based on my training and experience working computer crime, below is a list of 
terms and definitions that are commonly used to describe computer protocols and Internet 
concepts. 

DVD (Digital Versatile Disc) 

74. DVD, originally known as Digital Video Disc but more formally known as a 
"digital versatile disc," is a high capacity optical disc storage technology medium. DVD can 
typically store from four to twenty-eight times as much data as a Compact Disc (CD). DVDs are 
a common storage medium for copyrighted materials, including but not limited to movies, 
games, and software. 

Domain Name System 

75. Numerical IP addresses generally have corresponding domain names. For 
instance, IP address 255.1.63.115 resolves to the corresponding domain name "cybercrime.gov."
The Domain Name System (DNS) is an Internet service that maps domain names. This mapping 
function is performed by DNS servers located throughout the Internet. In general, a registered 
domain name should resolve to a numerical IP address.

File Transfer Protocol

76. File Transfer Protocol (FTP) is a communication protocol for transferring both 
text and binary files between computers connected to the Internet. Protocols in a networking 
environment define the rules and procedures for transmitting data. These protocols are required 
to enable communications between computers.

FTP Site and FTP Server

77. FTP site and FTP server generally refer to computers connected to the Internet
that serve as large storage databases for software or other digital files. Users can upload or 
download software and other digital files through the FTP protocol. In the warez scene, FTP 
sites are most often used to store, distribute and trade illegal warez. These sites are not 
accessible to the general public. Access to warez FTP sites are typically controlled through a 
variety of security mechanisms. For example, a user is typically required to log onto an FTP site 
using a screen name and password approved by one of the site's system administrators. In 
addition, part of the final level of authentication, which is done automatically, requires the user to 
access the server from IPs they specifically supplied. Should a user try to download or upload 
software using a different IP that they have on file, they will be denied access.

Internet

78. Internet is a collection of computers and computer networks which are connected 
to one another via high-speed data links and telephone lines for the purpose of communicating 
and sharing data and information. Connections between Internet computers exist across state and 
international borders; therefore, information sent between two computers connected to the 
Internet frequently cross state and international borders even when the two computers are located 
in the same state.

Internet Protocol Address (IP address) 

79. The IP address is a unique numeric address used to identify computers on the 
Internet. An IP address looks like a series of four numbers, each in the range of 0-255, separated 
by periods (e.g. 210.1.63.155). Every computer (or group of computers using the same account to 
access the Internet) attached to the Internet must be assigned an IP address so that Internet traffic 
sent from and directed to that computer is directed properly from its source to its destination. An 
IP address acts much like a home or business street address - it enables Internet sites to properly 
route traffic to each other. There are two types of IP addresses - dynamic and static. A static IP 
address is one that is permanently assigned to a given computer on a network. ISPs often assign 
static IP addresses to cable and DSL customers. With dynamic IP addressing, however, each 
time a computer establishes an Internet connection, that computer is assigned a new IP address. 
Thus, each time an AOL customer dials into the AOL network and establishes an Internet 
connection, the customer is randomly assigned an IP address from the block of IP addresses 
controlled by AOL. When the customer ends the AOL session, the temporarily assigned IP 
address is placed back into the pool of IP addresses available for temporary assignment to other 
AOL subscribers. However, we have found that if a subscriber uses their computer to connect to 
the Internet several times in one day, the ISP will likely assign the same IP to that computer. 

Internet/Instant Relay Chats (IRC) 

80. Internet/Instant Relay Chats (IRC) is a service on the Internet by which users 
communicate in real time. There are thousands of IRC channels or discussion forums, in which 
participants engage in the online equivalent of a party-line conversation, with the response time
limited only by one's typing speed. Most IRC chat rooms are open to the public; access to private
IRC rooms are restricted by password protection and other security mechanisms. Warez groups 
generally maintain restricted access, password protected, IRC channels for closed discussions 
among group members and other warez associates. Should any individuals want to have a 
private conversation outside of the private IRC group channel, they can remain in IRC, but go to 
a private chat session with a few individuals. Once the session is over, they go back to the 
private group IRC chat and continue to talk with the entire group. 

ISO (International Standards Organization standardized format) 

81. Pirated computer software generally is first supplied to a Warez group as an
original electronic copy or ISO (International Standards Organization standardized format). The 
warez group then "cracks" or "encodes" the ISO version to remove serial numbers, tags, 
duplication controls, security locks, and other copyright protection controls. Sometimes these 
cracked ISOs are also "ripped" to remove all files or program add-ons that are not essential to the 
core functionality and utility of the software program itself. A rip will reduce the total file size of
the software, which makes copying and downloading easier and faster. Ripping has become less
common because computer games have become more complex, require a greater amount of disc
space and have become more difficult to rip into smaller file sizes. With higher speed Internet 
access available to more people, ISO is becoming the preferred format. 

Internet Service Providers (ISP) 

82. Most individuals and businesses obtain access to the Internet through businesses 
known as ISPs. AOL, Microsoft (MSN), and Earthlink are some of the larger and better known 
ISPs. Among other services, ISPs provide their customers with access to the Internet using 
telephone, cable, Digital Subscriber (DSL), or other telecommunications lines.

Log Files

83. Log Files are computer files containing information regarding the activities of 
computer users, processes running on a computer and the activity of computer resources such as 
networks, modems, and printers. The files can generate transfer logs that capture information 
about each FTP file transfer, the date, time, name of file, direction of transfer (upload or 
download), individual's nickname, and IP address of the computer initiating the transfer of the 
file. 

Nickname (or "Nic") 

84. A "nickname," commonly referred to as "nic," is the on-line computer screen 
name/identity used by a person during a communication session. These screen names need not 
have any relation to the user's true name or identity, but they are constant forms of online identity 
that members of the warez community rely upon to identify each other. 

Ports 

85. All computers connected to the Internet have 65,535 available ports through 
which electronic communications may enter or exit, depending on the computer's configuration. 
There are agreed-upon standard ports used for common types of communications. For instance, 
most computers are configured to send and receive web messages on port 80; e-mail traffic on 
port 55; and file transfers via the FTP protocol on port 21. One method used by Warez groups to
hide their activity is to use non-standard ports for their communications and file transfers. For 
instance, whereas file transfers normally occur on port 21, warez groups coming into warez sites 
will configure their computer sites to conduct file transfers of copyrighted software, movies, and 
games to uncommon ports such as 444, 7707, 8066, 42185 and 43758.

Racing

86. Racing refers to the speed in which a warez member can upload a movie, game or 
software to the warez site. Warez members try to "race" to demonstrate who is the fastest 
uploader. Individuals with the fastest bandwidth connection will upload more files during the 
race, thereby giving them a greater amount of credits (amount of size uploaded) to apply to their 
ratio for downloading. 

Release Formats 

87. There are several different release formats, including: 

A. VCD - VCD is an mpeg1 based format, with a constant bit rate of
1150kbit at a resolution of 352x240. VCDs are generally used for lower quality transfers in
order to make smaller file sizes, and fit as much on a single disc as possible.

B. SVCD - SVCD is an mpeg2 based (same as DVD) which allows variable 
bit rates of up to 2500kbits at a resolution of 480x480 which is then decompressed. Due to the 
variable bit-rate, the length you can fit on a single CD-R is not fixed, but generally between 
35-60 minutes. 

C. DVD-R - DVD-R is the recordable DVD solution that seems to be the 
most popular out of DVD-RAM, DVD-R, and DVD+R. It holds 4.7gigabit of data per side, and 
double sided discs are available, so disks can hold nearly 10gb in some circumstances.

D. DivX - DivX is the brand name of the world's most popular video 
compression technology. It is a piece of software that compresses video from virtually any 
source down to a size that is transportable over the Internet without reducing the original video's 
visual quality. You can compress a VHS tape down to one-hundredth of its original size or a
DVD to one tenth of its size. You can take any digital video content and save it on CDs to share
or store it on a computer's hard drive without spending huge amounts on extra storage.

Root Access

88. Root access provides complete administrator access to all files and services on the 
computer. 

Sites: Top Site, Drop Site and Archive Site 

89. Warez groups will release new software, games, or movies to several different 
sites, depending on what "stage" it is in. The movie, game or software is initially sent to a "drop 
site" where it must be taken through various stages (cracking, (encoding), testing, and packing) 
before it can be uploaded onto the Internet. Each warez group has their own server where any 
member of the group can preview the item first. Once it is available to be downloaded onto the 
Internet, the item is then sent by a courier to a "top site" where they "pre" or "release" their 
pirated computer software first. A top site is known for its speed and ability to upload and 
download software quickly. Whichever group gets the movie, game, or software released to a 
top site first, wins the first release for that item. After its release to the top site, the movie, game, 
or software is then distributed to "archive sites" where other multiple groups have access and can 
upload and download any item. An archive site may not require the speed of a top site, but it 
contains a large amount of storage space housing thousands of copies of ripped and/or cracked
utility software, games, movies, MP3, and TV shows. One of the benefits of the warez group 
membership is gaining unrestricted access to the group's archive sites. 

Types Of Access (Ratio Access Or Leech Access)

90. There are different types of access which allow individuals to download movies,
games and software. A warez member with "ratio access" refers to an upload and download 
ratio. The most common ratio is one to three, permitting the warez member to download pirated 
material under a one to three ratio. For example, under this ratio, the warez member is required
to supply one upload which enables the member to obtain three downloads (i.e. one 
gigabyte/three gigabytes). This serves as a form of private financial gain. A warez member with 
"leech access" is able to download an unlimited amount of copyrighted works and is not 
required to fulfill the ratio of uploads to downloads.

Video Formats

91. There are several video formats, including:

A. CAM - A cam is a theater rip, usually done with a digital camera. A mini 
tripod is sometimes used, but a lot of the time this will not be possible. The camera is usually 
held by the person in their seat so the camera may shake. Sound is taken from the onboard 
microphone of the camera, and laughter can often be heard during the film from the audience. 
They are generally poor in quality. (VCD format). 

B. TELESYNC (TS) - A telesync is the same specifications as a CAM except 
it uses an external audio source (most likely an audio jack in the chair for hearing impaired 
persons.) The telesync is filmed in an empty theater or from the projection booth with a 
professional camera, giving a better picture quality. (VCD format) 

C. TELECINE (TC) - A telecine machine copies the film digitally from the 
original film reels. Sound and picture are very good. True TCs are very rare because the
equipment required to produce them is very expensive. (SVCD or DVD-R format).

D. SCREENER (SCR) - A screener is a pre VHS tape, sent to rental stores,
hotels, and various other places for promotional use. If the tape contains any serial numbers, or 
any other markings that could lead to the source of the tape, these will be blocked, usually with a 
black mark over the section. Quality can be fair to good. (VCD or SVCD format) 

E. DVD SCREENER (DVDscr) - A DVDscr is like a screener except that it 
is transferred off a DVD. It usually does not contain the extra items that a DVD retail copy 
would contain. Quality is good to excellent. (SVCD or DVD-R format)

F. DVDRip - DVDrip is a copy of the final released DVD, excellent quality. 
(SVCD or DVD-R format) 

G. VHSRip - A VHSrip is transferred off a retail VHS, mainly sports videos 
and XXX releases, good to very good quality. (VCD or SVCD format)

H. WORKPRINT (WP) - A workprint is a copy of the film that has not been 
finished. It can be missing scenes, music, and quality can range from excellent to very poor. 
(VCD format) 

Warez

92. "Warez" and "pirated computer software" are terms used to describe copyright-protected
computer software which is distributed over the Internet in violation of copyright law.

Warez Group

93. "Warez group" refers to an organized group of individuals who engage and
conspire in the duplication and reproduction of copyrighted software over the Internet in 
violation of copyright laws. "Warez groups" are highly structured, hierarchal organizations of 
individuals organized for the purpose of duplication and reproduction of copyrighted computer 
software, movies and games in violation of federal copyright law. "Warez" groups communicate
and transfer their pirated goods almost exclusively over the Internet. "Warez" group leaders
typically reward the various members of their organization for their contributions by allowing
them free access to sites where the finished product pirated software is stored. "Warez" groups
are organized according to the role fulfilled by the individual "warez" participant in that group at
that time.

III. EVIDENCE, CONTRABAND, FRUITS, AND INSTRUMENTALITIES OF THE 
CRIME 

94. Based on my experience and information that I have obtained from others 
experienced in such investigations, I have learned that warez scene members typically maintain 
at their residence or place of business various pieces of computer hardware; computer software; 
computer storage media; computer records; paper and electronic notes regarding software piracy; 
and paper and electronic correspondence with others who engage in software piracy, within the 
meaning of Title 18, United States Code, Section 2319 and Title 17, United States Code, Section 
506 (Criminal copyright infringement); Title 18, United States Code, Section 2319B 
(Unauthorized recording of Motion pictures in a Motion picture exhibition facility); Title 17 
United States Code, Section 1201 (Circumvention of copyright protection systems) and Section 
1204 (Criminal offenses and penalties); Title 18 United States Code, Section 371 (Conspiracy to 
commit the foregoing offenses), and Section 2 (Aiding and Abetting the foregoing offenses). 

95. I have also learned that individuals who participate in copyright infringement 
through the warez scene often transfer or copy their illegally obtained computer software, games, 
and movies to computer storage media and other electronic systems that are not connected to the 
Internet. This is usually done to facilitate ease of use. Whether stored on a computer system
connected to the Internet or on any other type of computer storage media, such illegally obtained 
computer software, games, and movies are routinely kept and collected by warez participants for 
many months or even years. This is often done because the warez participant wants to be able to 
reinstall the software or media whenever convenient, or because he or she wants to use those 
titles to trade for other software and media. In addition, I have learned that, even if illegally 
obtained software is later deleted by a warez participant, the computer system that was previously 
used to store that software often retains evidence of the offense. This is because files deleted by 
the user may still remain (in whole or in part) on the storage media, as deletion of a file may not 
remove that data completely from the media. 

96. Based upon my knowledge, training, and experience, as well as information 
related to me by agents and others involved in the forensic examination of computers, I know 
that computer data can be stored on a variety of systems and storage devices. I also know that 
during the search of computers it is rarely possible to complete on-site examination of computer 
equipment and storage devices for a number of reasons, including the following: 

a. Searching computer systems is a highly technical process which requires specific 
expertise and specialized equipment. There are so many types of computer hardware and 
software in use today that it is rarely possible to bring to the search site all of the necessary 
technical manuals and specialized equipment necessary to conduct a thorough search. In 
addition, it may also be necessary to consult with computer personnel who have specific 
expertise in the type of computer, software application or operating system that is being searched. 

b. The best practices for analysis of computer systems and storage media rely on rigorous
procedures designed to maintain the integrity of the evidence and to recover hidden, mislabeled,
deceptively-named, erased, compressed, encrypted, or password-protected data while reducing 
the likelihood of inadvertent or intentional loss or modification of data. A controlled 
environment, such as a law enforcement laboratory, is typically required to conduct such an 
analysis properly. 

c. The volume of data stored on many computer systems and storage devices will 
typically be so large that it will be highly impractical to search for data during the execution of 
the physical search of the premises. The hard drives commonly included in mere desktop 
computers are capable of storing millions of pages of text; the storage capacity of warez FTP 
servers is typically much greater. 

97. Due to the volume of data at issue and the technical requirements set forth above,
it may be necessary that the above-referenced equipment, software, data, and related instructions be
seized and subsequently processed by a qualified computer specialist in a laboratory setting. 
Under the appropriate circumstances, some types of computer equipment can be more readily 
analyzed and pertinent data seized on-site, thus eliminating the need for its removal from the 
premises. One factor used in determining whether to analyze a computer on-site or to remove it 
from the premises is whether the computer constitutes an instrumentality of an offense and is 
thus subject to immediate seizure as such or whether it serves as a mere repository for evidence 
of a criminal offense. Another determining factor is whether, as a repository for evidence, a 
particular device can be more readily, quickly, and thus less intrusively, analyzed off-site, with 
due considerations given to preserving the integrity of the evidence. This, in turn, is often 
dependent upon the amount of data and number of discrete files or file areas that must be 
analyzed, and this is frequently dependent upon the particular type of computer hardware
involved. As a result, it is ordinarily impossible to appropriately analyze such material without 
removing it from the location where it is seized. 

98. Based upon my knowledge, training, and experience, as well as information 
related to me by agents and others involved in forensic examination of computers, I am aware 
that searches and seizures of evidence from computers taken from the premises commonly 
require agents to seize most or all of a computer system's input/output and peripheral devices, in 
order for a qualified computer expert to accurately retrieve the system's data in a laboratory or 
other controlled environment. Therefore, in those instances where computers are removed from 
the premises, in order to fully retrieve data from a computer system, investigators must seize all 
the storage devices, as well as the central processing units (CPUs), and applicable keyboards and 
monitors which are an integral part of the processing unit. If, after inspecting the input/output 
devices, system software, and pertinent computer-related documentation, it becomes apparent 
that these items are no longer necessary to retrieve and preserve the data evidence, and are not 
otherwise seizeable, such materials and/or equipment will be returned within a reasonable time. 

Analysis of Electronic Data 

99. The analysis of electronically stored data, whether performed on-site or in a 
laboratory or other controlled environment, may entail any or all of several different techniques. 
Such techniques may include, but shall not be limited to, surveying various file directories and 
the individual files that they contain (analogous to looking at the outside of a file cabinet for the 
markings it contains and opening a drawer capable of containing pertinent files, in order to locate 
the evidence authorized for seizure by the warrant); examining all the structured, unstructured, 
deleted, and overwritten data on a particular piece of media; opening or reading the first few
pages of such files in order to determine their precise contents; scanning storage areas to discover 
and possibly recover recently deleted data; scanning storage areas for deliberately hidden files; 
and performing electronic key-word searches through all electronic storage areas to determine
whether occurrences of language contained in such storage areas exist that are intimately related 
to the subject matter of the investigation. 

IV. REQUEST FOR SEALING 

100. Since the investigation is continuing, your affiant requests that this search warrant 
affidavit be sealed until such time as the Court directs otherwise. Disclosure of the search 
warrant affidavit at this time would seriously jeopardize the ongoing investigation, as such 
disclosure may provide an opportunity to destroy evidence, change patterns of behavior, notify 
confederates, or allow confederates to flee or continue flight from prosecution. The investigation 
in this matter is continuing and it is anticipated that additional search warrants may be executed 
at other locations in the near future. 

V. CONCLUSION 

101. Based on the information outlined above, the undersigned submits that there is
probable cause to believe that the items identified in Attachment A have been used in the 
commission of a crime and constitute evidence, contraband, fruits, or instrumentalities of 
violations of Title 18, United States Code, Section 2319 and Title 17, United States Code, 
Section 506 (Criminal copyright infringement); Title 18, United States Code, Section 2319B 
(Unauthorized recording of Motion pictures in a Motion picture exhibition facility); Title 17 
United States Code, Section 1201 (Circumvention of copyright protection systems) and Section 
1204 (Criminal offenses and penalties); Title 18 United States Code, Section 371 (Conspiracy to
commit the foregoing offenses), and Section 2 (Aiding and Abetting the foregoing offenses), and 
will be found on the computers to be searched. 



Stephen K. Schmidt 

Special Agent 

Federal Bureau of Investigation 



Subscribed and sworn to before me this day of March, 2006. 



HONORABLE 

UNITED STATES MAGISTRATE JUDGE

Attachment A

Computers to be searched and items to be seized 

Items evidencing violations of Title 18, United States Code, Section 2319 and Title 17, 
United States Code, Section 506 (Criminal copyright infringement); Title 18, United States 
Code, Section 2319B (Unauthorized recording of Motion pictures in a Motion picture exhibition 
facility); Title 17 United States Code, Section 1201 (Circumvention of copyright protection 
systems) and Section 1204 (Criminal offenses and penalties); Title 18 United States Code, 
Section 371 (Conspiracy to commit the foregoing offenses), and Section 2 (Aiding and Abetting 
the foregoing offenses), including but not limited to the following: 

1. Computer files protected by copyright, including but not limited to software, game, movie
and music titles. 

2. Computer log files relating to copyright infringement, including but not limited to transfer 
logs of FTP uploads and downloads. 

3. Computer files containing communications between individuals relating to copyright 
infringement, including but not limited to IRC and instant messaging logs, and e-mails. 

4. Programs or software used by those engaging in copyright infringement, such as burning 
tool programs and software used for FTP file transfers (e.g. FlashFXP). 

5. Records, in whatever form, of user names and passwords to warez sites and secure 
communication services. 

6. Computer hardware, meaning any and all computer equipment. Included within the 
definition of computer hardware is any electronic device capable of data processing (such as 
central processing units, laptop or notebook computers, personal digital assistants, and wireless 
communication devices); peripheral input/output devices (such as keyboards, printers, scanners, 
plotters, monitors, and drives intended for removable media); related communications devices 
(such as modems, cables and connections); storage media, defined below; and security devices, 
also defined below. 

7. Computer software, meaning any and all data, information, instructions, programs, or 
program codes, stored in the form of electronic, magnetic, optical, or other media, which is 
capable of being interpreted by a computer or its related components. Computer software may 
also include data, data fragments, or control characters integral to the operation of computer 
software, such as operating systems software, applications software, utility programs, compilers, 
interpreters, communications software, and other programming used or intended to be used to 
communicate with computer components.

8. Computer-related documentation, meaning any written, recorded, printed, or electronically
stored material that explains or illustrates the configuration or use of any seized computer 
hardware, software, or related items. 

9. Data security devices, meaning any devices, programs, or data, whether themselves in the 
nature of hardware or software, that can be used or are designed to be used to restrict access to, 
or to facilitate concealment of, any computer hardware, computer software, computer-related 
documentation, or electronic data records. Such items include, but are not limited to, user names 
and passwords; data security hardware (such as encryption devices, chips, and circuit boards); 
data security software or information (such as test keys and encryption codes); and similar 
information that is required to access computer programs or data or to otherwise render programs 
or data into usable form. 

10. Any technology, product, service, device, component, or part thereof, that is primarily 
designed or produced for the purpose of circumventing a technological measure that effectively 
controls access to a work protected by the copyright laws, including but not limited to (a) 
AnyDVD; (b) Gordian Knot; (c) DVD2SVCD; (d) DVD Decrypter; (e) DVD Shrink; (f) 
DVD2AVI; and (g) VirtualDubMod. 

11. Records, in whatever form, referencing or regarding warez activity, warez sites, or
individuals who participate in warez activity including records pertaining to accounts held with 
Internet Service Providers or of Internet use. 

12. Storage media capable of collecting, storing, maintaining, retrieving, concealing, 
transmitting, and backing up electronic data used to conduct warez activity or which contains 
material or data obtained through warez activity. Included within this paragraph is any 
information stored in the form of electronic, magnetic, optical, or other coding on computer 
media or on media capable of being read by a computer or computer-related equipment, such as 
fixed hard disks, external hard disks, thumb drives, removable hard disks, floppy diskettes, 
compact disks (CDs), digital video disks (DVDs), tapes, optical storage devices, laser disks, or 
other memory storage devices. 

13. Equipment or any other media used to record or reproduce the movie, game or software 
to include but not limited to: camcorders (used to record movies in the theater), imaging 
equipment, and altered consoles used to play pirated games. 

14. Records, in whatever form, of personal and business activities relating to the operation 
and ownership of the computer systems, such as telephone records, notes, books, diaries, and 
reference materials and activities related to the operation of a warez site. 

15. Cellular Telephones, telephone records, including voice mail, under the control of Ray 
Morada. 



Case 1:06-mj-00086-JMF Document 1-2 Filed 03/02/2006 Page 48 of 48